With just over 100 days left before the application of the new law, the guidance outlines what the European Commission, national data protection authorities and national administrations should still do to bring the preparation to a successful completion.

While the new regulation provides for a single set of rules directly applicable in all Member States, it will still require significant adjustments in certain aspects, like amending existing laws by EU governments or setting up the European Data Protection Board by data protection authorities. The guidance recalls the main innovations, opportunities opened up by the new rules, takes stock of the preparatory work already undertaken and outlines the work still ahead of the European Commission, national data protection authorities and national administrations.

Andrus Ansip, European Commission Vice-President for the Digital Single Market, said: “Our digital future can only be built on trust. Everyone’s privacy has to be protected. Strengthened EU data protection rules will become a reality on 25 May. It is a major step forward and we are committed to making it a success for everyone.”  

Vĕra Jourová, Commissioner for Justice, Consumers and Gender Equality, added:” In today’s world, the way we handle data will determine to a large extent our economic future and personal safety. We need modern rules to respond to new risks, so we call on EU governments, authorities and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day.”

Commission calls on EU governments and data protection authorities to be ready and provide support

Since the adoption of the General Data Protection Regulation in May 2016, the Commission has actively engaged with all concerned actors — governments, national authorities, businesses, civil society — to prepare the application of the new rules.

Preparations are progressing at various speeds across Member States. At this stage, only two of them have already adopted the relevant national legislation. Member States should speed up the adoption of national legislation and make sure these measures are in line with the Regulation. They should also ensure they equip their national authorities with the necessary financial and human resources to guarantee their independence and efficiency.

The Commission is dedicating EUR 1.7 million to fund data protection authorities, but also to train data protection professionals. A further EUR 2 million is available to support national authorities in reaching out to businesses, in particular SMEs.

New online tool supporting practical application

Knowledge of the benefits and opportunities brought by the new rules is not evenly spread. There is in particular a need to step up awareness and accompany compliance efforts for SMEs.

Today, the Commission launches a new practical online tool to help citizens, businesses, in particular SMEs, and other organisations to comply and benefit from the new data protection rules.

The Commission will also engage in events organised across the Member States to help the stakeholders in their preparation efforts and inform the citizens about the impact of the Regulation.

Recalling the main innovations and new opportunities

The General Data Protection Regulation enables the free flow of data across the Digital Single Market. It will better protect the privacy of Europeansand reinforce trust and security for consumers, while at the same time opening up new opportunities for businesses, especially smaller ones.

The guidance recalls the main elements of the new data protection rules:

• One set of rules across the continent, guaranteeing legal certainty for businesses and the same data protection level across the EU for citizens.
• Same rules apply to all companies offering services in the EU, even if these companies are based outside the EU.
• Stronger and new rights for citizens: the right to information, access and the right to be forgotten are strengthened. A new right to data portability allows citizens to move their data from one company to the other. This will give companies new business opportunities.
• Stronger protection against data breaches: a company experiencing a data breach, which put individuals at risk, has to notify the data protection authority within 72 hours.
• Rules with teeth and deterrent fines: all data protection authorities will have the power to impose fines for up to EUR 20 million or, in the case of a company, 4% of the worldwide annual turnover.
  

Next steps

In the run up to 25 May, the Commission will continue to actively support Member States, Data Protection Authorities and businesses to ensure the reform is ready to enter into effect. From May 2018 onward, it will monitor how Member States apply the new rules and take appropriate action as necessary. One year after the Regulation enters into application (2019) the Commission will organise an event to take stock of different stakeholders’ experiences of implementing the Regulation. This will also feed into the report the Commission is required to produce by May 2020 on the evaluation and review of the Regulation.

Background

On 6 April 2016, the EU agreed to a major reform of its data protection framework, by adopting the data protection reform package, comprising the General Data Protection Regulation (GDPR) replacing the twenty years old Directive. On 25 May 2018, the new EU-wide data protection rules will become applicable, two years after its adoption and entry into force.

In January 2017, the Commission proposed to align the rules for electronic communications (ePrivacy) with the new world-class standards of the EU’s General Data Protection Regulation. In September 2017, the Commission proposed a new set of rules to govern the free flow of non-personal data in the EU. Together with the already existing rules for personal data, the new measures will enable the storage and processing of non-personal data across the Union to boost the competitiveness of European businesses and to modernise public services. Both proposals still need to be agreed by the European Parliament and Member States.